Edward Snowden talks with Jane Mayer via satellite at the 15th Annual New Yorker Festival on Oct. 11, 2014, in New York. (Christopher Lane/AP Images for The New Yorker)

(Newser) –
Edward Snowden recommended last week that people use longer "passphrases" instead of passwords for extra security. One of his suggestions: something unusual and counterintuitive like "MargaretThatcheris110%SEXY." But cryptography expert Joseph Bonneau tells Andy Greenberg, writing for Wired, why Snowden's approach leaves much to be desired. To wit:

It's the randomness of the password (or phrase), not its length, that will throw an attacker off. "Just because something's a phrase and it's longer, people get fixated on that," Bonneau says. "The length doesn't mean that much to your adversary."

Bonneau notes that Snowden's tactic might work if you're dealing with a service provider that shuts hackers down after just a few attempts. But if the bad guys are trying to get into your computer, they could go to town indefinitely (and will be more likely to eventually figure out the password).

In Bonneau's own study, the code-cracking ace found that even unusual user-chosen combinations follow certain linguistic patterns, and the right algorithm can pick up on those. The same applies to using mnemonic devices.

What Bonneau says may work: a "throw the dice" method that picks the words of a passphrase at random, so the resulting password or passphrase truly makes no sense.
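The dice method Bonneau describes, as an added illustration (not from the article or from Bonneau's study): words are chosen by fair dice rolls from a fixed list, so the entropy of the phrase depends only on the list size and the word count, not on how the words read. The wordlist and guess rates below are constructed for the demo; a real Diceware list has 7776 entries.

```python
import math
import secrets

# Constructed sample wordlist: 36 = 6**2 entries, so two dice select one word.
# (A real Diceware list has 7776 = 6**5 entries, one per five-dice roll.)
SAMPLE_WORDLIST = [
    "acid", "bolt", "cave", "dust", "echo", "fern", "glow", "hush", "iron",
    "jade", "kelp", "lime", "moss", "nest", "oath", "pine", "quay", "reef",
    "sand", "tide", "urge", "vale", "wisp", "yarn", "zinc", "arch", "bark",
    "clay", "dawn", "ember", "flint", "gale", "husk", "isle", "knot", "lark",
]


def dice_index(n_dice: int) -> int:
    """Roll n_dice fair dice with a CSPRNG; each die is one base-6 digit of the index."""
    index = 0
    for _ in range(n_dice):
        index = index * 6 + secrets.randbelow(6)
    return index  # uniform over [0, 6**n_dice)


def diceware_passphrase(wordlist, n_words: int) -> str:
    """Pick n_words uniformly at random; the wordlist size must be a power of 6."""
    n_dice = round(math.log(len(wordlist), 6))
    if 6 ** n_dice != len(wordlist):
        raise ValueError("wordlist size must be a power of 6 for dice rolls to map uniformly")
    return " ".join(wordlist[dice_index(n_dice)] for _ in range(n_words))


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of a uniformly chosen phrase: every word adds log2(list size) bits."""
    return n_words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average guesses to hit a uniformly random secret is half the search space."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    phrase = diceware_passphrase(SAMPLE_WORDLIST, 4)
    bits = entropy_bits(7776, 6)  # a six-word phrase from a full 7776-word list
    print(f"sample phrase: {phrase!r}")
    print(f"six Diceware words: {bits:.1f} bits")
    # Assumed rates: an online service that throttles to ~10 guesses/s versus an
    # offline attacker with a password-hash file at ~1e10 guesses/s.
    for rate in (10, 1e10):
        print(f"  at {rate:g} guesses/s: {expected_crack_seconds(bits, rate) / 3.15e7:.3g} years")
```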

Most crack attacks that happen will be brute force, and thus the longer the password or phrase, the better. For a supposed expert, he should know his argument is wrong. He should look at https://xkcd.com/936/ to see why.

EdCoulter

Apr 15, 2015 8:00 PM CDT

Does it seem strange to anyone else that we are talking about this, but not the scores of spyware programs that Edward Snowden has revealed?

BabsonTask

Apr 15, 2015 12:52 AM CDT

"MargaretThatcheris110%SEXY" was the suggestion of John Oliver, not Snowden.